Description

Bagisto is an open source Laravel eCommerce platform. Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) because unsanitized user input is processed by the server-side templating engine when rendering product descriptions. This allows an attacker with product creation privileges to inject arbitrary template expressions that are evaluated by the backend, potentially leading to Remote Code Execution (RCE) on the server. This vulnerability is fixed in 2.3.8.

Status: PUBLISHED | Reserved 2025-10-13 | Published 2025-10-16 | Updated 2025-10-17 | Assigner GitHub_M

Severity: MEDIUM, 5.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Product status

< 2.3.8: affected

References

github.com/...agisto/security/advisories/GHSA-527q-4wqv-g9wj

cve.org (CVE-2025-62416)

nvd.nist.gov (CVE-2025-62416)